Best practice rules for KeyVault
- App Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Azure cloud application tier.
- Azure Key Vault Cross-Subscription Access
Ensure that Azure key vaults don't allow unknown cross-subscription access.
- Check for Allowed Certificate Key Types
Ensure that Azure Key Vault certificates are using the appropriate key type(s).
- Check for Azure Key Vault Keys Expiration Date
Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date.
- Check for Azure Key Vault Secrets Expiration Date
Ensure that your Azure Key Vault secrets are renewed prior to their expiration date.
- Check for Certificate Minimum Key Size
Ensure that Azure Key Vault RSA certificates are using the appropriate key size.
- Check for Certificate Validity Period
Ensure that certificates stored in Azure Key Vault are valid for 12 months or less.
- Check for Key Vault Full Administrator Permissions
Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults.
- Check for Sufficient Certificate Auto-Renewal Period
Ensure that a sufficient period is configured for SSL certificate auto-renewal.
- Database Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud database tier.
- Enable AuditEvent Logging for Azure Key Vaults
Ensure that AuditEvent logging for Azure Key Vault is 'Enabled'.
- Enable Automatic Key Rotation
Ensure that Automatic Key Rotation is enabled for Azure Key Vaults.
- Enable Certificate Transparency
Ensure that certificate transparency is enabled for all your Azure Key Vault certificates.
- Enable Key Vault Recoverability
Ensure that your Microsoft Azure Key Vault instances are recoverable.
- Enable Role-Based Access Control (RBAC) Authorization
Ensure that RBAC authorization is enabled for Azure Key Vaults.
- Enable SSL Certificate Auto-Renewal
Ensure that the Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.
- Enable Trusted Microsoft Services for Key Vault Access
Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates).
- Ensure Purge Protection is Enabled for Key Vaults
Ensure that 'Purge protection' is set to 'Enabled' for Azure Key Vaults to prevent permanent deletion of key vault objects and maintain data recoverability.
- Restrict Default Network Access for Azure Key Vaults
Ensure that the default network access (i.e. public access) rule is set to "Deny" within your Azure Key Vaults configuration.
- Set Azure Secret Key Expiration
Ensure that an expiration date is set for all your Microsoft Azure secret keys.
- Set Encryption Key Expiration
Ensure that an expiration date is configured for all your Microsoft Azure encryption keys.
- Use Private Endpoints for Key Vaults
Ensure that network access to Azure Key Vaults is allowed via private endpoints only.
- Web Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier.